Penetration Testing mailing list archives

Re: Vulnerability scanners

From: Alex Russell <alex () netWindows org>
Date: Thu, 27 Mar 2003 15:51:45 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 27 March 2003 12:58 pm, Jeff Williams @ Aspect wrote:

Let's assume that you're talking about 256 IPs (based on Qualys'
published pricing), and you want to scan weekly.  That's at least a day a
week of effort for someone (probably more to generate a very nice report
and summaries).  The cost of a full-time sysadmin (including salary,
benefits, office, etc...) probably costs well north of $100K.  You'd have
to include some equipment costs in there.  So I doubt you could do it
much cheaper. I think vulnerability scanning is a reasonable thing to
outsource for companies that are not in the security or networking field
already.


This sounds like a false economy to me.

First: how does the Qualis box remove the need for a sysadmin? It's just one 
more appliance to manage, and something your existing admin should be able 
to do anyway. And if you already didn't have an admin, you'd need one now 
that you're thinking in terms of security. No extra cost here (aside from 
incremental admin time).

Secondly: if you've got a trained monkey doing your report generation, then 
you're right about the costs. If, however, you have a developer automate 
most of that, then you can add more nodes to be scanned at much lower 
incremental cost (change a config file). Additionally, using public 
signature sets may have downsides, but using Open Source tools is good both 
for your own internal flexiblity and for the world at large (checks aren't 
quite right? set that developer to work writing and contributing back 
better ones!).

All in all, your initial costs to do it in house with smart people and Open 
Source tools might be higher, but your incremental costs do not grow at 
nearly the same rate. OTOH, if you don't have any admins or developers, 
then Qualys might look like a very nice option.

HTH

- -- 
Alex Russell
alex () netWindows org
alex () SecurePipe com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+g3J/oV0dQ6uSmkYRAvN6AJ44Qwzu3sSypJkLDRbl1W1ZjrrnswCZASf0
m88qoVsnBJR2vt7vXZaYyKc=
=kMak
-----END PGP SIGNATURE-----


top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1

Current thread:

Vulnerability scanners Dan Lynch (Mar 27)
- RE: Vulnerability scanners Rob Shein (Mar 27)
- Re: Vulnerability scanners Anders Thulin (Mar 28)
- <Possible follow-ups>
- Re: Vulnerability scanners oherrera (Mar 27)
- Re: Vulnerability scanners Jeff Williams @ Aspect (Mar 27)
  - Re: Vulnerability scanners Alvin Oga (Mar 27)
  - RE: Vulnerability scanners Rob Shein (Mar 27)
  - Re: Vulnerability scanners Alex Russell (Mar 27)
  - Re: Vulnerability scanners Nicolas Gregoire (Mar 27)
  - Re: Vulnerability scanners R. DuFresne (Mar 27)
- RE: Vulnerability scanners Ken Smith (Mar 27)
- RE: Vulnerability scanners Rosado, Rafael (Rafael) (Mar 27)
- RE: Vulnerability scanners Rosado, Rafael (Rafael) (Mar 27)
- Re: Vulnerability scanners Jeff Williams @ Aspect (Mar 27)
- Re: Vulnerability scanners Chris Sharp (Mar 27)
  - Re: Vulnerability scanners R. DuFresne (Mar 27)
- Re: Vulnerability scanners Paris Stone (Mar 27)
  - RE: Vulnerability scanners Michael Welch (Mar 27)

(Thread continues...)